Deploy SSO with CAS 2.0

The Central Authentication Service (CAS) is a single sign-on (SSO) protocol that enables a user to access multiple applications using one set of credentials. This protocol works in conjunction with the CAS server, which handles all the user connections to your Microsoft Exchange and LDAP servers.

You can deploy the CAS server on Apache Tomcat or on your own Web Help Desk server.

Deploy CAS Server on Apache Tomcat

Before you deploy single sign-on with CAS 2.0 in your Web Help Desk deployment, configure the CAS module for LDAP and Active Directory communications.

Download 7-Zip

The 7-Zip utility is a free, open-source file archiving utility you can use to complete this procedure.

  1. Navigate to the 7-Zip website.
  2. Download and install the 7-Zip archive utility on your system.

Download the CAS Server file

  1. Navigate to the Apereo website.
  2. Click v3.5.1.
  3. Scroll down and click cas-server-3.5.1-release.zip to download the ZIP file.
  4. Extract the contents of the ZIP file to a local directory.
  5. Open the cas-server-3.5.1 directory and click modules.
  6. Copy the cas-server-webapp-3.5.1.war file to your local directory.

Edit the WAR file

  1. Download the deployerConfigContext.txt file from the SolarWinds Documentation website and save the file to your local directory.
  2. Open the file in Notepad and copy the content to your clipboard.
  3. Right-click the cas-server-webapp-3.5.1.war file and select 7-Zip > Open Archive.
  4. Double-click the WEB-INF directory.

    The directory displays.

  5. In the archive, right-click the deployerConfigContext.xml file and select Edit.
  6. Paste the content in the archive file, overwriting the existing content.
  7. In the updated deployerConfigContext.xml file, update the file variables for your deployment.
    1. Locate the following parameter. If you are using an SSL connection, use ldaps:// in the path.

      <property name="url" value="ldap://127.0.0.1:389" />

    2. Replace the value variable with the IP address of your LDAP server.
    3. Locate the following parameter:

      <property name="userDn" value="ldap_admin@yourdomain.com" />
    4. Replace the value variable with the email address of your LDAP administrator.
    5. Locate the following parameter:

      <property name="password" value="ldap_admin_password" />
    6. Replace the value variable with your LDAP admin password.

    7. Locate the following parameter:

      p:filter="sAMAccountName=%u" p:searchBase="DC=yourdomain,DC=com"
    8. Ensure that the LDAP p:filter search filter matches your LDAP configuration settings.
    9. Replace the p:searchBase variable with your domain settings.
    10. Save and close the file.
  8. Download the cas.properties.txt file from the SolarWinds Documentation website and save the file to your local directory.
  9. Open the cas.properties.txt file in Notepad and copy the content to your clipboard.
  10. In 7-Zip, right-click cas.properties and select Edit.
  11. Paste the content into the cas.properties file in 7-Zip, overwriting the existing content.
  12. In the updated cas.properties file, update the file variables for your deployment.
    1. At the top of the file, locate the following parameter:

      server.name=http://localhost:8080
    2. Replace the server.name variable with the Web Help Desk server address. For example:

      http://whd.example.com

    3. Under # Unique CAS node name, locate the following parameter:

      host.name=cas01.yourdomain.com
    4. Replace yourdomain.com with your domain name.

      The host.name parameter is used to generate unique service ticket IDs and SAML artifacts. This is usually set to the specific hostname of the machine running the CAS node. However, it could be any label as long as it is unique in the cluster.
    5. Save and close the file.

      Leave the 7-Zip archive open.
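The p:filter and p:searchBase values edited in step 7 above define the directory lookup CAS performs for each login. The following Python is an added illustration (not CAS server code) of how the %u placeholder becomes a search filter; it uses the page's placeholder template and search base, and applies RFC 4515 escaping so that filter metacharacters in a typed username are matched literally. The usernames are constructed samples.

```python
"""How the p:filter template in deployerConfigContext.xml is turned into an
LDAP search.

Added illustration, not CAS server code. It takes the page's placeholder
values (p:filter="sAMAccountName=%u", p:searchBase="DC=yourdomain,DC=com"),
substitutes the login name for %u, and applies RFC 4515 escaping so that
filter metacharacters in the typed username are matched literally rather
than interpreted. The usernames below are constructed samples.
"""

# Placeholder values from the deployerConfigContext.xml step on the page
FILTER_TEMPLATE = "sAMAccountName=%u"
SEARCH_BASE = "DC=yourdomain,DC=com"

# RFC 4515, section 3: characters that must be escaped inside an assertion value
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the directory matches it literally."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_search(template: str, search_base: str, username: str) -> dict:
    """Return the search issued for this login: base, scope and filter.

    The %u placeholder is replaced by the escaped username and the filter is
    wrapped in parentheses, as RFC 4515 requires for a complete filter.
    """
    if "%u" not in template:
        raise ValueError("p:filter template has no %u placeholder")
    if not username:
        raise ValueError("empty username")
    filter_str = "(" + template.replace("%u", escape_filter_value(username)) + ")"
    return {"base": search_base, "scope": "subtree", "filter": filter_str}


if __name__ == "__main__":
    # Constructed sample logins: a plain name, a wildcard, and parentheses
    for name in ("jdoe", "j*", "smith(ext)"):
        print(build_search(FILTER_TEMPLATE, SEARCH_BASE, name)["filter"])
```

If your directory keys accounts on another attribute (for example userPrincipalName), change only the attribute name in the template and keep the %u placeholder; the escaping step stays the same.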

Download and apply the dependencies

  1. Navigate to the following links and download the corresponding dependency files in JAR format to your local directory.

    Download Link                       Dependency File
    CAS Server Support LDAP v3.5.2      cas-server-support-ldap-3.5.2.jar
    Commons Pool v1.6                   commons-pool-1.6.jar
    LDAPTIVE Core v1.0.5                ldaptive-1.0.5.jar
    Spring LDAP v1.3.1 release (All)    spring-ldap-1.3.1.RELEASE-all.jar (this file needs to be unzipped)
  2. Drag all downloaded dependencies to the archive directory.

    All new and modified files display in the 7-Zip archive directory.

  3. Extract the files to a separate directory.
  4. Select all files.
  5. Right-click and select 7-Zip > Add to archive.
  6. In the Archive name field, enter cas.war and save the archive.

    The archive displays in the directory.

  7. Close 7-Zip.

Deploy CAS server on Apache Tomcat

  1. Stop the Web Help Desk service.
  2. Copy the cas.war file to the /bin/webapps directory in your Apache Tomcat deployment.
  3. Start the Web Help Desk service.

  4. Verify that the HTTPS port is enabled on Apache Tomcat.

Complete your CAS server deployment

Configure a Group Policy Object (GPO) to push the appropriate Windows login credentials to your Internet Explorer settings. This process enables authenticated users to access the Web Help Desk server without having to log in. GPOs define the settings for your Windows server configuration, and Group Policies apply these settings.

See Configure a GPO to push Internet Explorer settings for more information.

Enable SSL on Web Help Desk

  1. On your Web Help Desk system, open File Explorer and navigate to:

    <WebHelpDesk>/conf

  2. In the conf directory, open the whd.conf file in Notepad.
  3. In the file, comment out the following entry:

    HTTPS_PORT=443

  4. Save and close the file.
  5. Use Porteclé to create a new certificate.

    See Generating a New Certificate in Porteclé for more information.

  6. Place the certificate in the following location:

    /conf/keystore.jks

  7. Restart Web Help Desk.

Deploy CAS 2.0 on the Web Help Desk server

  1. On your Web Help Desk system, click Setup > General > Authentication.
  2. Click the Authentication Method drop-down menu and select CAS 2.0.
  3. In the CAS login URL field, enter:

    https://fqdn:port/cas/login

  4. In the CAS validate URL field, enter:

    https://fqdn:port/cas/serviceValidate

  5. Under Verification certificate, click Upload and select the certificate that CAS uses to sign its responses.

    Select keystore.jks to upload the Web Help Desk Tomcat certificate.

  6. In the Logout URL field, enter:

    https://fqdn:port/cas/logout

  7. Click Save.

    You can now log in using CAS 2.0.
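The three URLs entered above are the endpoints of the CAS 2.0 exchange between Web Help Desk and the CAS server. The following Python is an added illustration, not Web Help Desk or CAS server code: it builds the login redirect, extracts the service ticket from the callback, builds the serviceValidate request, and parses the XML response. The host whd-cas.example.com:8443, the service URL and the two XML responses are constructed placeholders in the CAS 2.0 format.

```python
"""CAS 2.0 login redirect and service-ticket validation from the application side.

Added illustration, not Web Help Desk or CAS server code. It assumes the three
endpoints entered on Setup > General > Authentication (login, serviceValidate,
logout); the host whd-cas.example.com:8443 and the service URL are
constructed placeholders. The exchange it models:
  1. the application redirects the browser to /cas/login?service=<app URL>;
  2. after login, CAS sends the browser back to that service URL with ?ticket=ST-...;
  3. the application fetches /cas/serviceValidate?service=...&ticket=... over
     HTTPS and parses the XML response, which names the user on success or
     carries a failure code.
The two XML responses are constructed samples in the CAS 2.0 response format.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Endpoints as they would be entered on the Authentication page (placeholder host)
CAS_LOGIN_URL = "https://whd-cas.example.com:8443/cas/login"
CAS_VALIDATE_URL = "https://whd-cas.example.com:8443/cas/serviceValidate"
CAS_LOGOUT_URL = "https://whd-cas.example.com:8443/cas/logout"


def require_https(url: str) -> str:
    """A service ticket is a bearer credential; refuse to move it over plain HTTP."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"CAS endpoint must use https: {url}")
    return url


def login_redirect(service: str) -> str:
    """Step 1: URL the browser is sent to. CAS returns the user to `service`."""
    return f"{require_https(CAS_LOGIN_URL)}?{urlencode({'service': service})}"


def ticket_from_callback(callback_url: str) -> str:
    """Step 2: pull the ST-... ticket out of the URL CAS redirected the browser to."""
    tickets = parse_qs(urlparse(callback_url).query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        raise ValueError("callback does not carry exactly one service ticket")
    return tickets[0]


def validate_request(service: str, ticket: str) -> str:
    """Step 3a: server-to-server URL for serviceValidate.

    `service` must be exactly the value sent in login_redirect; CAS answers
    with the INVALID_SERVICE failure code otherwise.
    """
    return f"{require_https(CAS_VALIDATE_URL)}?{urlencode({'service': service, 'ticket': ticket})}"


def parse_validate_response(xml_text: str) -> tuple:
    """Step 3b: return (True, username) on success or (False, failure_code)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a cas:serviceResponse document")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without a cas:user element")
        return True, user
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is None:
        raise ValueError("response is neither success nor failure")
    return False, failure.get("code", "UNKNOWN")


# Constructed sample responses in the CAS 2.0 format
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-PLACEHOLDER' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    service = "https://whd.example.com/helpdesk/"
    print(login_redirect(service))
    ticket = ticket_from_callback(service + "?ticket=ST-PLACEHOLDER")
    print(validate_request(service, ticket))
    print(parse_validate_response(SAMPLE_SUCCESS))   # (True, 'jdoe')
    print(parse_validate_response(SAMPLE_FAILURE))   # (False, 'INVALID_TICKET')
```

The serviceValidate call is the step where the verification certificate uploaded above matters: the application must make that request over HTTPS to a server whose certificate it trusts, since the ticket alone proves nothing until the CAS server confirms it.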

Configure a GPO to push the Internet Explorer settings

Configure a Group Policy Object (GPO) to push the appropriate Windows login credentials to your Internet Explorer settings. This process allows authenticated users to access the Web Help Desk server without having to log in. GPOs define the settings for your Windows server configuration, and Group Policies apply these settings.

  1. Log in to the Web Help Desk domain using the Domain Administrator account.
  2. Click Start and select Run.
  3. In the Run field, enter the following command and then click OK:

    mmc

    The Microsoft Management Console displays.

  4. In the File menu, click Add/Remove Snap-In > Add.
  5. In Available snap-ins, double-click Group Policy Management Editor and then click OK.
  6. In Select Group Policy Object, click Browse.
  7. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
  8. Click Finish, and then click OK.
  9. In the Default Domain [yourdomain.com] Policy console tree, expand the following path:

    User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Connection

  10. Double-click Automatic Browser Configuration.
  11. Clear the Automatically Detect Configuration Settings check box, and then click OK.
  12. In the Default Domain [yourdomain.com] Policy console tree, go to:

    User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security Zones and Content Ratings

  13. Click Import the current security zones and privacy settings.
  14. When prompted, click Continue and then click Modify Settings.
  15. In the Internet Properties dialog box, click the Security tab.
  16. Click Local Intranet, and then click Sites.
  17. In the Add this website to the zone field, enter:

    *.yourdomain.com

  18. Click Add.
  19. Select the following check box:

    Require server verification (https) for all sites in this zone.

  20. Click Close.
  21. Click OK.